Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-bcrypt for openSUSE:Factory checked in at 2026-04-13 23:17:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-bcrypt (Old) and /work/SRC/openSUSE:Factory/.python-bcrypt.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bcrypt" Mon Apr 13 23:17:56 2026 rev:19 rq:1307706 version:5.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-bcrypt/python-bcrypt.changes 2025-09-11 14:39:32.984327448 +0200 +++ /work/SRC/openSUSE:Factory/.python-bcrypt.new.21863/python-bcrypt.changes 2026-04-13 23:17:58.545869964 +0200 @@ -1,0 +2,12 @@ +Mon Sep 29 09:23:35 UTC 2025 - Dirk Müller <[email protected]> + +- update to 5.0.0: + * Bumped MSRV to 1.74. + * Added support for Python 3.14 and free-threaded Python 3.14. + * Added support for Windows on ARM. + * Passing hashpw a password longer than 72 bytes now raises + a ValueError. Previously the password was silently truncated, + following the behavior of the original OpenBSD bcrypt + implementation. + +------------------------------------------------------------------- Old: ---- bcrypt-4.3.0.tar.gz New: ---- bcrypt-5.0.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bcrypt.spec ++++++ --- /var/tmp/diff_new_pack.uJr0p6/_old 2026-04-13 23:17:59.277900149 +0200 +++ /var/tmp/diff_new_pack.uJr0p6/_new 2026-04-13 23:17:59.281900314 +0200 @@ -20,7 +20,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' %{?sle15_python_module_pythons} Name: python-bcrypt -Version: 4.3.0 +Version: 5.0.0 Release: 0 Summary: BSD type 2a and 2b password hashing License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.uJr0p6/_old 2026-04-13 23:17:59.349903118 +0200 +++ /var/tmp/diff_new_pack.uJr0p6/_new 2026-04-13 23:17:59.353903284 +0200 
@@ -1,10 +1,5 @@ <services> - <service mode="manual" name="tar_scm"> - <param name="url">https://github.com/pyca/bcrypt/</param> - <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param> - <param name="scm">git</param> - <param name="revision">4.3.0</param> - </service> + <service name="download_files" mode="manual"/> <service name="cargo_vendor" mode="manual"> <param name="srcdir">bcrypt/src/_bcrypt</param> <param name="compression">gz</param> ++++++ bcrypt-4.3.0.tar.gz -> bcrypt-5.0.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/PKG-INFO new/bcrypt-5.0.0/PKG-INFO --- old/bcrypt-4.3.0/PKG-INFO 2025-02-28 02:17:09.378459200 +0100 +++ new/bcrypt-5.0.0/PKG-INFO 2025-09-25 21:42:10.951664200 +0200 @@ -1,6 +1,6 @@ -Metadata-Version: 2.2 +Metadata-Version: 2.4 Name: bcrypt -Version: 4.3.0 +Version: 5.0.0 Summary: Modern password hashing for your software and your servers Author-email: The Python Cryptographic Authority developers <[email protected]> License: Apache-2.0 @@ -17,6 +17,8 @@ Classifier: Programming Language :: Python :: 3.11 Classifier: Programming Language :: Python :: 3.12 Classifier: Programming Language :: Python :: 3.13 +Classifier: Programming Language :: Python :: 3.14 +Classifier: Programming Language :: Python :: Free Threading :: 3 - Stable Requires-Python: >=3.8 Description-Content-Type: text/x-rst License-File: LICENSE @@ -24,6 +26,7 @@ Requires-Dist: pytest!=3.3.0,>=3.2.1; extra == "tests" Provides-Extra: typecheck Requires-Dist: mypy; extra == "typecheck" +Dynamic: license-file bcrypt ====== 
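Review bot: Removing the `tar_scm` service drops the only place in `_service` that named the upstream origin (`https://github.com/pyca/bcrypt/`) and a pinned `revision`. With `download_files` the tarball presumably comes from the `Source:` URL in the spec, which this diff does not show. Nothing visible here checks `bcrypt-5.0.0.tar.gz` against a hash or signature published upstream. The regenerated `vendor.tar.gz` is also skipped in this mail, so the provenance of both archives cannot be reviewed from this page. A short comment in `_service`, for example `<!-- sdist comes from the Source URL in python-bcrypt.spec; compare with the upstream release hash before running cargo_vendor -->`, would record the expected origin for the next update.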
@@ -78,8 +81,18 @@ Changelog ========= -Unreleased ----------- +5.0.0 +----- + +* Bumped MSRV to 1.74. +* Added support for Python 3.14 and free-threaded Python 3.14. +* Added support for Windows on ARM. +* Passing ``hashpw`` a password longer than 72 bytes now raises a + ``ValueError``. Previously the password was silently truncated, following the + behavior of the original OpenBSD ``bcrypt`` implementation. + +4.3.0 +----- * Dropped support for Python 3.7. * We now support free-threaded Python 3.13. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/README.rst new/bcrypt-5.0.0/README.rst --- old/bcrypt-4.3.0/README.rst 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/README.rst 2025-09-25 21:42:04.000000000 +0200 @@ -51,8 +51,18 @@ Changelog ========= -Unreleased ----------- +5.0.0 +----- + +* Bumped MSRV to 1.74. +* Added support for Python 3.14 and free-threaded Python 3.14. +* Added support for Windows on ARM. +* Passing ``hashpw`` a password longer than 72 bytes now raises a + ``ValueError``. Previously the password was silently truncated, following the + behavior of the original OpenBSD ``bcrypt`` implementation. + +4.3.0 +----- * Dropped support for Python 3.7. * We now support free-threaded Python 3.13. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/pyproject.toml new/bcrypt-5.0.0/pyproject.toml --- old/bcrypt-4.3.0/pyproject.toml 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/pyproject.toml 2025-09-25 21:42:04.000000000 +0200 @@ -11,7 +11,7 @@ [project] name = "bcrypt" # When updating this, also update lib.rs -version = "4.3.0" +version = "5.0.0" authors = [ {name = "The Python Cryptographic Authority developers", email = "[email protected]"} ] 
@@ -30,6 +30,8 @@ "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: 3.13", + "Programming Language :: Python :: 3.14", + "Programming Language :: Python :: Free Threading :: 3 - Stable", ] requires-python = ">= 3.8" dynamic = ["readme"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/src/_bcrypt/Cargo.lock new/bcrypt-5.0.0/src/_bcrypt/Cargo.lock --- old/bcrypt-4.3.0/src/_bcrypt/Cargo.lock 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/src/_bcrypt/Cargo.lock 2025-09-25 21:42:04.000000000 +0200 @@ -4,9 +4,9 @@ [[package]] name = "autocfg" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "base64" @@ -16,9 +16,9 @@ [[package]] name = "bcrypt" -version = "0.17.0" +version = "0.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92758ad6077e4c76a6cadbce5005f666df70d4f13b19976b1a8062eef880040f" +checksum = "abaf6da45c74385272ddf00e1ac074c7d8a6c1a1dda376902bd6a427522a8b2c" dependencies = [ "base64", "blowfish", @@ -51,12 +51,6 @@ ] [[package]] -name = "bitflags" -version = "2.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36" - -[[package]] name = "block-buffer" version = "0.10.4" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -83,9 +77,9 @@ [[package]] name = "cfg-if" -version = "1.0.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +checksum = "2fd1289c04a9ea8cb22300a459a72a385d7c73d3259e2ed7dcb2af674838cfa9" [[package]] name = "cipher" 
@@ -139,14 +133,14 @@ [[package]] name = "getrandom" -version = "0.3.1" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43a49c392881ce6d5c3b8cb70f98717b7c07aabbdff06687b9030dbfbe2725f8" +checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4" dependencies = [ "cfg-if", "libc", + "r-efi", "wasi", - "windows-targets", ] [[package]] @@ -157,9 +151,9 @@ [[package]] name = "indoc" -version = "2.0.5" +version = "2.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b248f5224d1d606005e02c97f5aa4e88eeb230488bcc03bc9ca4d7991399f2b5" +checksum = "f4c7245a08504955605670dbf141fceab975f15ca21570696aebe9d2e71576bd" [[package]] name = "inout" @@ -172,9 +166,9 @@ [[package]] name = "libc" -version = "0.2.170" +version = "0.2.176" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "875b3680cb2f8f71bdcf9a30f38d48282f5d3c95cbf9b3fa57269bb5d5c06828" +checksum = "58f929b4d672ea937a23a1ab494143d968337a5f47e56d0815df1e0890ddf174" [[package]] name = "memoffset" @@ -187,9 +181,9 @@ [[package]] name = "once_cell" -version = "1.20.3" +version = "1.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" [[package]] name = "pbkdf2" 
@@ -202,26 +196,25 @@ [[package]] name = "portable-atomic" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" +checksum = "f84267b20a16ea918e43c6a88433c2d54fa145c92a811b5b047ccbe153674483" [[package]] name = "proc-macro2" -version = "1.0.93" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60946a68e5f9d28b0dc1c21bb8a97ee7d018a8b322fa57838ba31cc878e22d99" +checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de" dependencies = [ "unicode-ident", ] [[package]] name = "pyo3" -version = "0.23.5" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7778bffd85cf38175ac1f545509665d0b9b92a198ca7941f131f85f7a4f9a872" +checksum = "7ba0117f4212101ee6544044dae45abe1083d30ce7b29c4b5cbdfa2354e07383" dependencies = [ - "cfg-if", "indoc", "libc", "memoffset", @@ -235,19 +228,18 @@ [[package]] name = "pyo3-build-config" -version = "0.23.5" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94f6cbe86ef3bf18998d9df6e0f3fc1050a8c5efa409bf712e661a4366e010fb" +checksum = "4fc6ddaf24947d12a9aa31ac65431fb1b851b8f4365426e182901eabfb87df5f" dependencies = [ - "once_cell", "target-lexicon", ] [[package]] name = "pyo3-ffi" -version = "0.23.5" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9f1b4c431c0bb1c8fb0a338709859eed0d030ff6daa34368d3b152a63dfdd8d" +checksum = "025474d3928738efb38ac36d4744a74a400c901c7596199e20e45d98eb194105" dependencies = [ "libc", "pyo3-build-config", 
@@ -255,9 +247,9 @@ [[package]] name = "pyo3-macros" -version = "0.23.5" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbc2201328f63c4710f68abdf653c89d8dbc2858b88c5d88b0ff38a75288a9da" +checksum = "2e64eb489f22fe1c95911b77c44cc41e7c19f3082fc81cce90f657cdc42ffded" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -267,9 +259,9 @@ [[package]] name = "pyo3-macros-backend" -version = "0.23.5" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fca6726ad0f3da9c9de093d6f116a93c1a38e417ed73bf138472cf4064f72028" +checksum = "100246c0ecf400b475341b8455a9213344569af29a3c841d29270e53102e0fcf" dependencies = [ "heck", "proc-macro2", @@ -280,18 +272,24 @@ [[package]] name = "quote" -version = "1.0.38" +version = "1.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc" +checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" dependencies = [ "proc-macro2", ] [[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + +[[package]] name = "sha2" -version = "0.10.8" +version = "0.10.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8" +checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" dependencies = [ "cfg-if", "cpufeatures", @@ -306,9 +304,9 @@ [[package]] name = "syn" -version = "2.0.98" +version = "2.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1" +checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6" dependencies = [ "proc-macro2", "quote", 
@@ -317,9 +315,9 @@ [[package]] name = "target-lexicon" -version = "0.12.16" +version = "0.13.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" +checksum = "df7f62577c25e07834649fc3b39fafdc597c0a3527dc1c60129201ccfcbaa50c" [[package]] name = "typenum" @@ -329,15 +327,15 @@ [[package]] name = "unicode-ident" -version = "1.0.17" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00e2473a93778eb0bad35909dff6a10d28e63f792f16ed15e404fca9d5eeedbe" +checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d" [[package]] name = "unindent" -version = "0.2.3" +version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c7de7d73e1754487cb58364ee906a499937a0dfabd86bcb980fa99ec8c8fa2ce" +checksum = "7264e107f553ccae879d21fbea1d6724ac785e8c3bfc762137959b5802826ef3" [[package]] name = "version_check" 
@@ -347,85 +345,27 @@ [[package]] name = "wasi" -version = "0.13.3+wasi-0.2.2" +version = "0.14.7+wasi-0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26816d2e1a4a36a2940b96c5296ce403917633dff8f3440e9b236ed6f6bacad2" +checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c" dependencies = [ - "wit-bindgen-rt", + "wasip2", ] [[package]] -name = "windows-targets" -version = "0.52.6" +name = "wasip2" +version = "1.0.1+wasi-0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" +checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "wit-bindgen", ] [[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" - -[[package]] -name = "windows_i686_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" - -[[package]] -name = "windows_i686_gnullvm" -version = "0.52.6" +name = "wit-bindgen" +version = "0.46.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" - -[[package]] -name = "windows_x86_64_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" - -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" - -[[package]] -name = "windows_x86_64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" - -[[package]] -name = "wit-bindgen-rt" -version = "0.33.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c" -dependencies = [ - "bitflags", -] +checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59" [[package]] name = "zeroize" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/src/_bcrypt/Cargo.toml new/bcrypt-5.0.0/src/_bcrypt/Cargo.toml --- old/bcrypt-4.3.0/src/_bcrypt/Cargo.toml 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/src/_bcrypt/Cargo.toml 2025-09-25 21:42:04.000000000 +0200 
@@ -3,10 +3,12 @@ version = "0.1.0" authors = ["The bcrypt developers <[email protected]>"] edition = "2018" +# This specifies the MSRV +rust-version = "1.74.0" publish = false [dependencies] -pyo3 = { version = "0.23.5", features = ["abi3"] } +pyo3 = { version = "0.26", features = ["abi3"] } bcrypt = "0.17" bcrypt-pbkdf = "0.10.0" base64 = "0.22.1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/src/_bcrypt/src/lib.rs new/bcrypt-5.0.0/src/_bcrypt/src/lib.rs --- old/bcrypt-4.3.0/src/_bcrypt/src/lib.rs 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/src/_bcrypt/src/lib.rs 2025-09-25 21:42:04.000000000 +0200 @@ -26,13 +26,12 @@ ); #[pyo3::pyfunction] -#[pyo3(signature = (rounds=None, prefix=None))] +#[pyo3(signature = (rounds=12, prefix=None), text_signature = "(rounds=12, prefix=b'2b')")] fn gensalt<'p>( py: pyo3::Python<'p>, - rounds: Option<u16>, + rounds: u16, prefix: Option<&[u8]>, ) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> { - let rounds = rounds.unwrap_or(12); let prefix = prefix.unwrap_or(b"2b"); if prefix != b"2a" && prefix != b"2b" { 
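Review bot: Changing `rounds` from `Option<u16>` to `u16` in `gensalt` means an explicit `gensalt(rounds=None)` no longer falls back to 12 through `unwrap_or(12)`, and would presumably fail argument extraction with a `TypeError`. The 5.0.0 changelog in this diff does not mention that, so a wrapper that forwards an optional cost factor can break on upgrade. Either keep `rounds: Option<u16>` and rely on `text_signature` for the documented default, or add a changelog line for the behaviour change. `text_signature` also advertises `prefix=b'2b'` while the real default stays `None`; a comment such as `// text_signature shows the effective defaults; prefix=None is still accepted` would keep the two from drifting. The body of `gensalt` continues outside the hunk.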
@@ -78,7 +77,16 @@ // bytes on the updated prefix $2b$, but leaving $2a$ unchanged for // compatibility. However, pyca/bcrypt 2.0.0 *did* correctly truncate inputs // on $2a$, so we do it here to preserve compatibility with 2.0.0 - let password = &password[..password.len().min(72)]; + // Silent truncation is _probably_ not the best idea, even if the "original" + // OpenBSD implementation did/does this. + // We prefer to raise a ValueError in this case - if the user _wants_ to truncate, + // they can always do so manually by passing s[:72] instead of s into hashpw(). + + if password.len() > 72 { + return Err(pyo3::exceptions::PyValueError::new_err( + "password cannot be longer than 72 bytes, truncate manually if necessary (e.g. my_password[:72])", + )); + } // salt here is not just the salt bytes, but rather an encoded value // containing a version number, number of rounds, and the salt. @@ -118,7 +126,7 @@ .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?; let hashed = py - .allow_threads(|| bcrypt::hash_with_salt(password, cost, raw_salt)) + .detach(|| bcrypt::hash_with_salt(password, cost, raw_salt)) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Invalid salt"))?; Ok(pyo3::types::PyBytes::new( py, @@ -175,7 +183,7 @@ } pyo3::types::PyBytes::new_with(py, desired_key_bytes, |output| { - py.allow_threads(|| { + py.detach(|| { bcrypt_pbkdf::bcrypt_pbkdf(password, salt, rounds, output).unwrap(); }); Ok(()) 
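Review bot: The context comment kept above the new check still ends with "so we do it here to preserve compatibility with 2.0.0", which described the removed truncation line and now contradicts the code. Reword it to past tense, e.g. `// Releases before 5.0.0 truncated to 72 bytes here; we now reject longer input instead.` Separately, hashes stored by earlier releases for inputs longer than 72 bytes were computed over the first 72 bytes only. If `checkpw` goes through this same function (not visible in this hunk), verifying such a user with the full password will raise `ValueError` instead of returning a result, so login code needs to catch it or truncate explicitly during migration. The enclosing function starts and ends outside the hunk.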
@@ -202,7 +210,7 @@ // When updating this, also update pyproject.toml // This isn't named __version__ because passlib treats the existence of // that attribute as proof that we're a different module - m.add("__version_ex__", "4.3.0")?; + m.add("__version_ex__", "5.0.0")?; let author = "The Python Cryptographic Authority developers"; m.add("__author__", author)?; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/src/bcrypt.egg-info/PKG-INFO new/bcrypt-5.0.0/src/bcrypt.egg-info/PKG-INFO --- old/bcrypt-4.3.0/src/bcrypt.egg-info/PKG-INFO 2025-02-28 02:17:09.000000000 +0100 +++ new/bcrypt-5.0.0/src/bcrypt.egg-info/PKG-INFO 2025-09-25 21:42:10.000000000 +0200 @@ -1,6 +1,6 @@ -Metadata-Version: 2.2 +Metadata-Version: 2.4 Name: bcrypt -Version: 4.3.0 +Version: 5.0.0 Summary: Modern password hashing for your software and your servers Author-email: The Python Cryptographic Authority developers <[email protected]> License: Apache-2.0 @@ -17,6 +17,8 @@ Classifier: Programming Language :: Python :: 3.11 Classifier: Programming Language :: Python :: 3.12 Classifier: Programming Language :: Python :: 3.13 +Classifier: Programming Language :: Python :: 3.14 +Classifier: Programming Language :: Python :: Free Threading :: 3 - Stable Requires-Python: >=3.8 Description-Content-Type: text/x-rst License-File: LICENSE @@ -24,6 +26,7 @@ Requires-Dist: pytest!=3.3.0,>=3.2.1; extra == "tests" Provides-Extra: typecheck Requires-Dist: mypy; extra == "typecheck" +Dynamic: license-file bcrypt ====== 
@@ -78,8 +81,18 @@ Changelog ========= -Unreleased ----------- +5.0.0 +----- + +* Bumped MSRV to 1.74. +* Added support for Python 3.14 and free-threaded Python 3.14. +* Added support for Windows on ARM. +* Passing ``hashpw`` a password longer than 72 bytes now raises a + ``ValueError``. Previously the password was silently truncated, following the + behavior of the original OpenBSD ``bcrypt`` implementation. + +4.3.0 +----- * Dropped support for Python 3.7. * We now support free-threaded Python 3.13. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bcrypt-4.3.0/tests/test_bcrypt.py new/bcrypt-5.0.0/tests/test_bcrypt.py --- old/bcrypt-4.3.0/tests/test_bcrypt.py 2025-02-28 02:17:02.000000000 +0100 +++ new/bcrypt-5.0.0/tests/test_bcrypt.py 2025-09-25 21:42:04.000000000 +0200 @@ -122,24 +122,6 @@ b"$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a", ), ( - b"0123456789abcdefghijklmnopqrstuvwxyz" - b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" - b"chars after 72 are ignored", - b"$2a$05$abcdefghijklmnopqrstuu", - b"$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui", - ), - ( - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" - b"chars after 72 are ignored as usual", - b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.", - b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6", - ), - ( b"\xa3", b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.", b"$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq", 
@@ -252,6 +234,25 @@ assert bcrypt.checkpw(password, hashed) is True [email protected]( + ("pw_length", "should_raise"), + [ + (71, False), + (72, False), + (73, True), + ], +) +def test_hashpw_raises_correctly_for_long_passwords(pw_length, should_raise): + password = b"\xaa" * pw_length + salt = b"$2b$04$xnFVhJsTzsFBTeP3PpgbMe" + + if should_raise: + with pytest.raises(ValueError): + bcrypt.hashpw(password, salt) + else: + bcrypt.hashpw(password, salt) + + def test_hashpw_invalid(): with pytest.raises(ValueError): bcrypt.hashpw(b"password", b"$2z$04$cVWp4XaNU8a4v1uMRum2SO") @@ -490,15 +491,6 @@ bcrypt.kdf(password, salt, desired_key_bytes, rounds) -def test_2a_wraparound_bug(): - assert ( - bcrypt.hashpw( - (b"0123456789" * 26)[:255], b"$2a$04$R1lJ2gkNaoPGdafE.H.16." - ) - == b"$2a$04$R1lJ2gkNaoPGdafE.H.16.1MKHPvmKwryeulRe225LKProWYwt9Oi" - ) - - def test_multithreading(): def create_user(pw): salt = bcrypt.gensalt(4) ++++++ vendor.tar.gz ++++++ ++++ 824426 lines of diff (skipped)
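Review bot: `test_hashpw_raises_correctly_for_long_passwords` exercises only a `$2b$` salt and only `hashpw`, while the vectors removed from the table and `test_2a_wraparound_bug` were the `$2a$` cases for over-long input. Add a `$2a$` salt to the parametrization so the 72-byte limit is pinned for both accepted prefixes. Also add a case that fixes what `checkpw` does with a 73-byte password against an existing hash, since that is the path applications hit at login. The 71- and 72-byte branches discard the result; `assert bcrypt.checkpw(password, bcrypt.hashpw(password, salt))` there would confirm the boundary inputs still round-trip.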
