On Feb 8, 5:35 pm, "Rob Hudson" <[EMAIL PROTECTED]> wrote: > Should I file a bug to eventually use hashlib for >= Python 2.5? > Should I provide a patch which attempts to import hashlib and use it > if available, but otherwise falls back on md5/sha1?
Yes, file a bug so the idea is not forgotten. Patches are always welcome. > Some general confusion about what's going on in contrib.auth.models... > > There's 2 check_password methods in there. 1 in the global namespace > and 1 in the User class. User.check_password is there mainly to check > for an md5 password (by absence of a '$') and if it is an md5 > password, it converts it to the sha1 password and passes handling to > the global check_password. > > But set_password will only set a sha1 password. So why would the > global check_password need to check if the algo is 'md5' if > set_password could never use md5? Because Django used to use md5 hashes. > Could Django remove the BC check prior to 1.0 to clean this up? I > guess those applications that are in active use with real users this > would be bad since the only way to migrate this to sha1 would be to > know the actual password. Or a collision :) > Maybe I answered my own question. :) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---
